Are there any easy diagnostic steps I can take to check if my system has been hacked?

I am very careful with my system but paranoia sets in and I’m not overly technical. Are there any easy things to look at to rule out intrusion attempts?

Do you have reason to believe there was such attempt?
(I suppose the answer is “yes” - else you would not have asked :wink:)

What was that reason(s)?
… beyond paranoia setting in :wink:

… system logs
to view them, journalctl is the command
maybe run it with sudo - it will show more/different events
modify it to review the logs by past reboots, by time frame, by keywords …

Well, I use KeePassXC, hardened with a Yubikey. It is probably the most critical thing on my computer, and while I had it open, it seemed to make a few attempts to edit entries by itself, when it wasn’t even the window on top. No changes could be made because it requires my Yubikey to make changes, but it sort of spooked me to think someone else might have access to that database.

Ok, I brought up the log via sudo journalctl

Funnily enough, I don’t understand much of the entries, but there is nothing in there after 20 July 2022; it looks like that was when I switched from kernel 5.10 to 5.15.

… if you are in doubt, for whatever reason
that may be valid for you but appear invalid to … me
… change your key - and your passwords

not to scare you - you already know …
covering tracks is part of such an intrusion

Ask yourself:
How likely is that scenario - am I a worthy target?
How would I become a target?

is a pretty weak description
and such a hack would not only target you specifically, but also make sure you would not just be able to accidentally spot it by looking at … what exactly?

my estimation:
very, very … very unlikely

so you did not modify or adjust the command
read the man (manual) page …
because it is indeed impossible that there are no entries in the log at all since that time
even every normal, uneventful, boot generates lots of entries
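As an added example (not code from any poster in this thread), here is a small Python script that reads `journalctl -o json` output, counts a few security-relevant events a defender would review first (failed SSH logins, sudo use, new accounts), lists the boot IDs seen, and reports the date of the newest entry, which is a quick way to confirm whether the log really stops on a given day or whether you just did not scroll to the end. The embedded sample lines are constructed; `load_live_journal` runs the real command and is the only part that needs systemd.

```python
import json
import subprocess
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of `journalctl -o json` output (one JSON object per line).
# Users, boot IDs and the 203.0.113.7 address are made up for illustration.
SAMPLE_JSON_LINES = [
    '{"__REALTIME_TIMESTAMP": "1658275200000000", "_BOOT_ID": "b1", "SYSLOG_IDENTIFIER": "kernel", "MESSAGE": "Linux version 5.15.0-1-MANJARO"}',
    '{"__REALTIME_TIMESTAMP": "1658275205000000", "_BOOT_ID": "b1", "SYSLOG_IDENTIFIER": "sshd", "MESSAGE": "Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2"}',
    '{"__REALTIME_TIMESTAMP": "1658275210000000", "_BOOT_ID": "b1", "SYSLOG_IDENTIFIER": "sudo", "MESSAGE": "  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl"}',
    '{"__REALTIME_TIMESTAMP": "1658361600000000", "_BOOT_ID": "b2", "SYSLOG_IDENTIFIER": "useradd", "MESSAGE": "new user: name=backup2, UID=1001, GID=1001, home=/home/backup2"}',
]

# Events worth a second look, keyed by label -> (syslog identifier, substring).
PATTERNS = {
    "ssh_auth_failure": ("sshd", "Failed password"),
    "sudo_use": ("sudo", "COMMAND="),
    "new_user": ("useradd", "new user"),
}


def parse_journal(lines):
    """Turn journalctl JSON lines into dicts. MESSAGE is a byte array, not a
    string, when the original text was not valid UTF-8; decode it leniently."""
    entries = []
    for line in lines:
        if not line.strip():
            continue
        obj = json.loads(line)
        msg = obj.get("MESSAGE", "")
        entries.append({
            "ts": int(obj.get("__REALTIME_TIMESTAMP", 0)) // 1_000_000,  # us -> s
            "boot": obj.get("_BOOT_ID", ""),
            "ident": obj.get("SYSLOG_IDENTIFIER", ""),
            "msg": msg if isinstance(msg, str) else bytes(msg).decode("utf-8", "replace"),
        })
    return entries


def summarize(entries):
    """Count pattern hits, list boots seen, and report the newest entry's UTC date."""
    hits = Counter()
    for e in entries:
        for label, (ident, needle) in PATTERNS.items():
            if e["ident"] == ident and needle in e["msg"]:
                hits[label] += 1
    last_ts = max((e["ts"] for e in entries), default=0)
    return {"boots": sorted({e["boot"] for e in entries}), "hits": dict(hits),
            "last_date": datetime.fromtimestamp(last_ts, tz=timezone.utc).date().isoformat()}


def load_live_journal(since="-7d"):
    """Read the real journal; run under sudo to see entries from all users and services."""
    out = subprocess.run(["journalctl", "-o", "json", "--since", since],
                         capture_output=True, text=True, check=True).stdout
    return summarize(parse_journal(out.splitlines()))
```

Run `summarize(parse_journal(SAMPLE_JSON_LINES))` for the constructed data, or `load_live_journal("2022-07-20")` on a real machine to see whether anything was logged after that date.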

This really is a rabbit hole; do not venture further than you absolutely should. There are measures already put in place, both by the kernel and by the OS, for reasonable prevention.

There are security auditing tools that give recommendations on fool-proofing your setup; lynis is recommended:
https://wiki.archlinux.org/title/List_of_applications/Security#Threat_and_vulnerability_detection

Besides that, you can use rkhunter (possibly already installed) to check for rootkits and other backdoors. I just ran a check; be prepared for a storm of warnings, nothing significant:
https://wiki.archlinux.org/title/Rkhunter

An all-inclusive security guide can be found at:
https://wiki.archlinux.org/title/Security